7 ways government is working to improve FedRAMP

GSA's McClure tackles myths about program, lists areas tiger teams are working on

By Rutrell Yasin

Mar 23, 2011

Five new tiger teams of representatives from across government are
working to improve the Federal Risk Authorization and Management Program
(FedRAMP) based on feedback submitted during the public comment
process, the General Services Administration’s David McClure told
attendees today at a symposium on high-performance cloud computing in
Washington, D.C.

McClure provided a short list of concerns that GSA and government
partners are working on to improve FedRAMP and sought to dispel myths
about the security accreditation and authorization program designed to
vet cloud providers and services.

There are still some misunderstandings surrounding FedRAMP, said
McClure, associate administrator with GSA’s Office of Citizen Services
and Innovative Technologies.

A big myth is that with FedRAMP the government is “blowing up [the
Federal Information Security Management Act] and completely redesigning
the security approach to the federal government,” McClure said during
the symposium sponsored by AFCEA's Bethesda chapter at the Willard
InterContinental Hotel.

Instead, FedRAMP’s “focus is to improve the security accreditation
process by using an approach that can be vetted and reused across the
government,” McClure said. The goal is to implement it once, use it many
times and bring some consistency to how this is being done. Hopefully,
this also will lower the cost for the security process, he said.

GSA released a draft version of FedRAMP security controls in
October 2010 with the intention of issuing the first version by the end
of December. However, after reviewing public comments, federal CIO Vivek
Kundra, GSA and other officials decided to step back and make sure that
critical issues were properly addressed. In fact, GSA extended public
comments to January 2011.

“We could have issued FedRAMP Version 1," McClure said. "It would
have been OK but would not have resolved critical issues in the security
process."

FedRAMP is now slated for release by the end of the summer.

Cloud computing, an on-demand model that allows access to shared
computing resources, does introduce some unique security requirements.
So the government is looking at FISMA and the National Institute of
Standards and Technology security series 800 guidelines to determine
what applies in the cloud and the different cloud delivery models, which
include infrastructure as a service, software as a service and platform
as a service.

“So we have assembled five new tiger teams comprised of
representatives from all around government” to address industry and
others concerns about FedRAMP, McClure said, noting another
myth-buster: that FedRAMP is not a GSA process. It is governmentwide and
community-driven, he said. Agencies contributing to the process include
the Defense and Homeland Security departments, the Federal CIO Council,
NIST, the National Security Agency and, at times, the intelligence
community. Industry has regularly been brought in as well.

Thousands of comments were submitted, but here is a short list of areas the government is working on to improve FedRAMP:

1. Too many controls and controls for different risk levels.

The government is working to reduce the number of security controls
that will be tested. GSA and others cannot eliminate all controls
because many are stringent and necessary to secure government computers.
However, the government is trying to differentiate between controls at
the low-, medium- and high-risk levels – all of the objectives of FISMA
but right now these are blurred. Right now, the focus is on all security
on or all security off. That has to change, McClure said.

2. More guidance on third-party assessors’ independence.

Who assesses the cloud provider? Some service providers pick the
organizations that assess them and then provide reports to the
government. This is equivalent to someone picking his or her own home
improvement inspector whentrying to sell a house, McClure said. There
are options such as having government entities do the assessment. The
government is exploring a NIST suggestion to come up with a model
similar to consumer product testing or the standards health area where
there is an accreditation board. This world-class board would have the
independence to approve a set of accredited assessors, McClure said.

3. Continuous monitoring raises data concerns.

FedRAMP is moving toward a continuous monitoring approach, which
focuses on the availability of real-time data about a system’s security
posture. For a cloud provider the question is, “Do you want to give up
that data for continuous monitoring?” McClure said. Often that data
contains very sensitive information.

4. What is the role of the Joint Authorization Board?

The Joint Authorization Board consists of the Defense and Homeland
Security departments, GSA and a sponsoring agency looking for
accreditation for the cloud provider coming together to certify an
Authorization to Operate. How does that work? Does the JAB have or want
the authority governmentwide? Does it have the ability legally to grant
authority for another agency? “We are working that out [now] and there
are ways to solve” these issues, McClure said.

5. What will be the role of government security operation centers?

A big question is about where the monitoring data goes on a regular
basis. “Do we create a new bureaucracy, a security operating center in
one place where everything is fed into?” McClure asked, or should the
government use existing security operation centers? This is another area
that the government is working on, he said, adding that the government
is not trying to create bureaucracy or another chokepoint for everything
being used.

6. How does the government ensure that FedRAMP is complaint with the Trusted Internet Connection?

TIC is an Office of Management and Budget initiative to reduce the
number external communication and Internet points of connections within
agencies. This is another sensitive issue, McClure said.

7. What are the different security controls for the different cloud delivery models – IaaS, PaaS and SaaS?

“Aren’t there differences in these cloud services that warrant different types of controls and assessment?" McClure said. These are things that have been worked out better in the second round.

"These are just minor things, right?" McClure joked.

The bottom line: FedRAMP is trying to produce a security baseline in a
transparent fashion, McClure said. “If we do not have transparency and
trust in this environment, it will not work."